Q&A: Former White House CIO Theresa Payton on why security pros should buck conventional wisdom
Anyone reading the headlines about data breaches, hackers and worst-case cyber scenarios can be forgiven for thinking the situation is hopeless. But it's not. The time has come, however, for infosec pros and executives to change how they design security to begin with, by focusing on the human, not the technology.
That's the assertion of Theresa Payton, the former CIO at the White House, star of the CBS series Hunted, and currently founder and CEO of security firm Fortalice.
I spoke with Payton ahead of our HIMSS Healthcare Security Forum in Boston, which takes place Oct. 15-16, and where she will be the keynote speaker.
Q: What motivates you in your career protecting data and combating cybercriminals?
A: I feel like at this point in my career – based on all the blessings of experience – I've been trained and led to really avenge the wrongs in the world and make them right. Whether that's working for the U.S. government or private sector companies and trying to prevent them from being hacked, or coming in on an incident response and getting them back up and running and figuring out who did it so we can turn it over to law enforcement.
We also work with individuals as well, and oftentimes they have nowhere else to turn when someone has taken advantage of their cyber footprint and it's up to us to help them get their life back. I'm up against the clock. So for me, there's a lot of wrongs in the world and many government, business and individual people are impacted by it, and I just feel like I'm up against the clock to make things right. I love outsmarting the bad guys.
Q: So, what's your secret for outsmarting cybercriminals?
A: I study them, my team studies them, we really know them, and we use that philosophy to outwit them. A lot of times it's not because you don't have a good security system or a good team or you haven't bought the right tools — they've got all day, their full-time job is to break into your network. Your full-time job is a lot of different priorities.
If we design to secure the human instead of designing to secure the tech we're going to be better off. More than 90 percent of breaches in the last 2 years were actually due to human error and over 75 percent involve tricking the user. We're approaching the 15th anniversary of National Cybersecurity Awareness Month and if you think about how much cybercrime has changed, how much technology has changed, but we're still talking about users clicking on links and opening attachments. We've got it all wrong. But if we start to design for the human, if we buck the conventional wisdom and get very creative and dynamic with our design, we're actually going to win.
Q: In which case, what would winning look like? When will infosec not be as interesting a conversation as it is now?
A: Just like people still go into brick-and-mortar, rob houses, rob banks and businesses, we're never entirely going to get away from that. Data breaches will continue to occur because technology by design is open, which means technology by design is open to hacking not just open to being updated, integrated and interconnected. But we will succeed in making the breaches less of a disaster.
If you think about the decades, almost a century, of the tactics that we've used to protect buildings or money or the transport of money, we've done a really good job creating deterrents and even when somebody does try to rob a bank or commit check or credit fraud, there are a lot of safety nets in place that help safeguard and reduce the actual theft. And we're just sort of very early on in how it relates to our digital lives – we've had a lot longer time to get it right in our physical lives and we're still in that learning and maturation process from a digital perspective.
Q: You've had a very high-profile career. What accomplishments are you most proud of?
A: The opportunity to be the chief information officer at the White House is an honor and I'm very proud to have been able to serve in that capacity. And I would say that one of the things we've been able to do as a profession is pro bono work to stop human trafficking and child exploitation, so being able to take our professional gift and do things pro bono. I'm certainly not at the level that I'd like to be in terms of focusing on pro bono work but being able to take those skills and use them, whether it's training law enforcement or nonprofits to use tools or aiding on cases where we're asked, or working on behalf of private individuals. To reunite someone with a loved one or end silent crimes going on in good neighborhoods and bad neighborhoods because a lot of these crimes don't discriminate based on socio-economics or zip code, so being able to contribute to that is another.
Q: And what professional regrets do you have?
A: I have no entrepreneurs in my family. We're a long line of U.S. military and law enforcement. If I look back on the founding of my company, I would have taken more risk. I self-funded by investing my own retirement money to get the company up and running until I could figure things out, because I didn't want to hire a bunch of people and then not be able to meet payroll and things like that.
When I look back, knowing how much we're up against the clock, and the team and the way we think about solving these problems, and now knowing how many people there are that I could retrain to get them fighting in the good fight, like former law enforcement and military, I would have taken more risk earlier and grown faster.
Q: As a last question, what advice would you give to other infosec pros?
A: I know they've heard this mantra before but we really need to internalize and live it: Cybersecurity and protecting what matters most, which could be your personal or company reputation, intellectual property, patient data, payment data, whatever it is, security really is a team sport.
The security team is outmanned, out-funded, outgunned, and it's up to all of us to ask ourselves with every digital action we take: are we multitasking and not really paying attention to what we're doing here? Or are we cognizant of the fact that I'm leaving a cyber footprint which could leave digital tracks to somebody finding an unlocked door? And am I doing everything I can to support the security team and make sure that what matters most is kept safe?